USG 110 VPN VPN access with domain users

alexpe
alexpe Posts: 42  Freshman Member
First Comment Friend Collector Fourth Anniversary

hi,

I am configuring L2TP VPN access with AD users.

Within the AAA Server configuration I have configured access to the domain, I do a test with the user "Alejandro" and it is OK.

I have configured an L2TP VPN connection and with a local user in the USG it works without problem.

I have created a global security group in my company's AD and I have added the domain user "Alejandro". Within the USG configuration I have created a user to the domain security group.

In the VPN connection settings I select that group for access. When connecting the VPN it gives an error.

I review the USG LOG and it indicates that the name or username is incorrect (and the username or password is correct)

Even though the connection user puts it with the domain name in front in the LOG, the same error occurs.

Where could the error be?

Thank you very much in advance for your help.

All Replies

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    Sorry that I do not know the exact answer here. If I had this issue, I would have looked for a way to get a Debug Log to verify the exact username and password received by the USG, to find out if it is receiving a different kind of user information than the intended username & password combination.

  • alexpe
    alexpe Posts: 42  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    hi,

    I don't know what the problem is exactly either. Apparently everything is correct, even the username and password are correct in an RDP session. In the log of my USG it can be seen perfectly how the user until the USG arrives but does not validate it.

    I don't know very well what to do anymore.

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    I have no personal experience in this setup or how the USG gets the AD information, so I can only suggest the simplest of things. Just as a last ditch effort, try to set a very simple password (e.g. pass1234) to avoid any incorrect communication of the password information to the USG.

    Other than that, I can only hope for some feedback from the Zyxel team members.

  • PCBjorn
    PCBjorn Posts: 1
    First Comment

    This started happening with us over the holidays. Two sites that used to authenticate using AD now fail to do so.

    As a temporary fix we have set up Nebula Authentication instead, but this seems to be an issue either on Microsoft's or ZyXel's side, not ours.

    I suggest you create a support ticket, then share your findings here in the forum.

  • alexpe
    alexpe Posts: 42  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    Thanks for your comments, but this way of authenticating through AD is new before I only used local authentication.

    As I indicated above in my first post, in the USG tests the AD is correct, but when I test it with a PC it gives an incorrect username and password error (and they are correct.

    I think my problem comes with the username I set in the VPN settings on the PC.

  • alexpe
    alexpe Posts: 42  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    I have performed the following test: I have changed the default authentication method and added the "AD group" and I have tried logging into the USG itself with a domain user and it accesses without problem. Communication with the AD is correct.

    But when connecting with the VPN it still indicates the wrong username and password. I understand that for some reason the domain controller is rejecting the login.

    Can anybody help me?

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,251  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hello @alexpe

    Could you provide a remote Web-GUI link for further inspection? We will send you a private message later; please check your inbox. Thanks


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • Jenz
    Jenz Posts: 5  Freshman Member
    First Comment Friend Collector First Anniversary
  • GIT
    GIT Posts: 2  Freshman Member
    First Comment

    I have the exactly same problem. Is there any solution available? Everything is done correctly with the integration of the AD and all tests are passed … and when I use the Windows L2TP VPN it's not working. Maybe something needs to be done from the Windows client side? Zyxel, help!

Security Highlight